Leaked UID plan on Net fuels data theft fears
Max Martin
Bangalore, November 14, 2009
A confidential document of the Unique Identification Authority of
India (UIDAI) got leaked on the Internet on Friday. The report
acknowledges potential data vulnerabilities of the ambitious project.
The leaked document titled, "Creating a Unique Identity Number for
Every Resident in India", gives details about the plan including
proposed technology architecture, methods of collecting data and costs
involved.
The authority plans to set up a Central ID Data Repository (CIDR),
which will manage the central system, and a network of "registrars"
who will establish resident touchpoints through "enrolling agencies",
according to the document. The document also discusses issues relating
to protecting personal information of citizens and possible fraud
scenarios.
Critics have questioned the UID project for its potential to invade
privacy and to make data vulnerable to hacking and fraud. They are
circulating the document through the web and email, calling it a first
symptom of the serious leaks to come.
"The UID authority was not responding to various RTI (right to
information) requests," alleged an activist.
The inadvertent leak gives enough ammunition to critics.
The UIDAI envisions storing basic personal information as well as
certain biometrics-like the fingerprints. Though the document talks
about encrypting and ensuring data integrity, it does not have a clear
roadmap about ensuring safety.
"The authority will concern itself only with identity fraud, which is
distinct from document fraud," it says. "Document fraud-the use of
counterfeited/ misleading documents to enter incorrect personal
information-will be the responsibility of the registrar enrolling the
resident." The process of enrolment will be done by various
agencies-that give passport, insurance, bank account or rural
employment. There is no clarity on how to ensure data protection at
these ends.
About the leak of a confidential document, authority chairman Nandan
Nilekani told Mail Today: "Everything is public." The authority
envisions storing basic personal information as well as certain
biometrics.
"However, limiting its scope to this and not linking this information
to financial/ other details does not make the resident records in the
database nonsensitive," the document acknowledges. "Biometric
information, for example, is often linked to banking, social security
and passport records. Basic personal information such as date of birth
is used to verify owners of credit card/ bank accounts and online
accounts." The report notes that such information will, therefore,
have to be protected. "Loss of this information risks the resident's
financial and other assets as well as reputation, when the resident is
a victim of identity theft."
-----------------------
@i$#w@ry@!
No comments:
Post a Comment